Client Access Link Problem

Hello,

There are 9 WANs connected to the router. There are clients on the PPPoE server to which I assign CGNAT and public IP addresses. However, some of these clients want to establish a link with each other over public IP or private IP. Unfortunately, they cannot access each other. Where am I going wrong?

Thank you

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=To_TLC_SSR02_DEVRE1 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE1
add action=mark-connection chain=prerouting new-connection-mark=Connection_TLC_SSR02_DEVRE1 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE1
add action=mark-routing chain=prerouting new-routing-mark=To_TLC_SSR02_DEVRE2 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE2
add action=mark-connection chain=prerouting new-connection-mark=Connection_TLC_SSR02_DEVRE2 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE2
add action=mark-routing chain=prerouting new-routing-mark=To_TLC_SSR02_DEVRE3 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE3
add action=mark-connection chain=prerouting new-connection-mark=Connection_TLC_SSR02_DEVRE3 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE3
add action=mark-routing chain=prerouting new-routing-mark=To_TLC_SSR02_DEVRE4 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE4
add action=mark-connection chain=prerouting new-connection-mark=Connection_TLC_SSR02_DEVRE4 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE4
add action=mark-routing chain=prerouting new-routing-mark=To_TLC_SSR02_DEVRE5 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE5
add action=mark-connection chain=prerouting new-connection-mark=Connection_TLC_SSR02_DEVRE5 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE5
add action=mark-routing chain=prerouting new-routing-mark=To_TLC_SSR02_DEVRE6 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE6
add action=mark-connection chain=prerouting new-connection-mark=Connection_TLC_SSR02_DEVRE6 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE6
add action=mark-routing chain=prerouting new-routing-mark=To_TLC_SSR02_DEVRE7 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE7
add action=mark-connection chain=prerouting new-connection-mark=Connection_TLC_SSR02_DEVRE7 passthrough=yes src-address-list=USER_TLC_SSR02_DEVRE7
add action=mark-routing chain=prerouting connection-nat-state="" new-routing-mark=To_DAG_SOL passthrough=yes src-address-list=USER_DAG_SOL
add action=mark-connection chain=prerouting new-connection-mark=Connection_DAG_SOL passthrough=yes src-address-list=USER_DAG_SOL
add action=mark-routing chain=prerouting new-routing-mark=To_DAG_SOL passthrough=yes src-address-list=Metro_92.xxx.xxx.xxx
add action=mark-connection chain=prerouting new-connection-mark=Connection_DAG_SOL passthrough=yes src-address-list=Metro_92.xxx.xxx.xxx


/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade pppoe network" out-interface=TLC_SSR02_DEVRE1 src-address-list=USER_TLC_SSR02_DEVRE1
add action=masquerade chain=srcnat comment="masquerade pppoe network" out-interface=TLC_SSR02_DEVRE2 src-address-list=USER_TLC_SSR02_DEVRE2
add action=masquerade chain=srcnat comment="masquerade pppoe network" out-interface=TLC_SSR02_DEVRE3 src-address-list=USER_TLC_SSR02_DEVRE3
add action=masquerade chain=srcnat comment="masquerade pppoe network" out-interface=TLC_SSR02_DEVRE4 src-address-list=USER_TLC_SSR02_DEVRE4
add action=masquerade chain=srcnat comment="masquerade pppoe network" out-interface=TLC_SSR02_DEVRE5 src-address-list=USER_TLC_SSR02_DEVRE5
add action=masquerade chain=srcnat comment="masquerade pppoe network" out-interface=TLC_SSR02_DEVRE6 src-address-list=USER_TLC_SSR02_DEVRE6
add action=masquerade chain=srcnat comment="masquerade pppoe network" out-interface=TLC_SSR02_DEVRE7 src-address-list=USER_TLC_SSR02_DEVRE7
add action=masquerade chain=srcnat comment="masquerade pppoe network" src-address-list=Metro_92.xxx.xxx.xxx

/ip route
add distance=1 gateway=TLC_SSR02_DEVRE1 routing-mark=To_TLC_SSR02_DEVRE1
add distance=1 gateway=TLC_SSR02_DEVRE2 routing-mark=To_TLC_SSR02_DEVRE2
add distance=1 gateway=TLC_SSR02_DEVRE3 routing-mark=To_TLC_SSR02_DEVRE3
add distance=1 gateway=TLC_SSR02_DEVRE4 routing-mark=To_TLC_SSR02_DEVRE4
add distance=1 gateway=TLC_SSR02_DEVRE5 routing-mark=To_TLC_SSR02_DEVRE5
add distance=1 gateway=TLC_SSR02_DEVRE6 routing-mark=To_TLC_SSR02_DEVRE6
add distance=1 gateway=TLC_SSR02_DEVRE7 routing-mark=To_TLC_SSR02_DEVRE7
add distance=1 gateway=92.xxx.xxx.xxx routing-mark=To_DAG_SOL
add comment="YEDEK ROUTE HAT 1" distance=1 gateway=TLC_SSR02_DEVRE1
add comment="YEDEK ROUTE HAT 2" distance=2 gateway=TLC_SSR02_DEVRE2
add comment="YEDEK ROUTE HAT 3" distance=3 gateway=TLC_SSR02_DEVRE3
add comment="YEDEK ROUTE HAT 4" distance=4 gateway=TLC_SSR02_DEVRE4
add comment="YEDEK ROUTE HAT 5" distance=5 gateway=TLC_SSR02_DEVRE5
add comment="YEDEK ROUTE HAT 6" distance=6 gateway=TLC_SSR02_DEVRE6
add comment="YEDEK ROUTE HAT 7" distance=7 gateway=TLC_SSR02_DEVRE7
add comment="YEDEK ROUTE HAT METRO" distance=10 gateway=DAG_BONDING

The routing-mark you assign identifies a routing table; each of these routing tables only contains a default route. Routes to the locally connected clients only exist in routing table main (which consists of routes with no routing-mark assigned), so they are not used for packets with any routing-mark assigned.

So you can either create an address-list of the CGNAT and public subnets you assign to the clients, named e.g. local-subnets, and add a match condition dst-address-list=!local-subnets to the mangle rules with action=mark-routing, in order to prevent the routing-mark from being assigned for packets from local clients to local clients.

Or you can use /ip route rule rows like dst-address=local.sub.net.A/mask action=lookup-only-in-table table=main to supersede the routing-mark values eventually assigned by the mangle rules. Here, you need one row per local subnet, as address-lists are not supported by /ip route rule rows.

Other than that, given the way you assign the routing-mark values, there is no point in using connection-mark values as well - you never match on a connection-mark value anywhere.
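Both alternatives from the answer above, written out as RouterOS v6 configuration (the same /ip route rule syntax the thread uses). This is an added illustration, not configuration posted by either participant. The list name local-subnets is the one suggested in the answer; the subnets are placeholders: 100.64.0.0/10 is the shared CGNAT range (RFC 6598) and 203.0.113.0/24 stands in for whatever public pool is handed to the PPPoE clients. Only one of the two options is needed.

```routeros
# Added example, not from the original posts. Placeholder subnets:
# 100.64.0.0/10 = shared CGNAT range (RFC 6598),
# 203.0.113.0/24 = stand-in for the public pool given to PPPoE clients.

# Option 1: never assign a routing-mark to client-to-client traffic,
# so it is routed in table main, which holds the connected client routes.
/ip firewall address-list
add list=local-subnets address=100.64.0.0/10 comment="CGNAT pool assigned to PPPoE clients"
add list=local-subnets address=203.0.113.0/24 comment="public pool assigned to PPPoE clients (placeholder)"

# Apply the exclusion to every existing mark-routing rule in one step
# instead of editing the nine rules individually.
/ip firewall mangle
set [find action=mark-routing] dst-address-list=!local-subnets

# Option 2: leave the marks in place and let a route rule override them
# for local destinations. Route rules take one prefix each, so one row
# per local subnet.
/ip route rule
add dst-address=100.64.0.0/10 action=lookup-only-in-table table=main comment="client-to-client, CGNAT"
add dst-address=203.0.113.0/24 action=lookup-only-in-table table=main comment="client-to-client, public (placeholder)"

# The last masquerade rule in the original config has no out-interface,
# so it would also rewrite the source of client-to-client traffic from
# that list; restrict it to non-local destinations as well.
/ip firewall nat
set [find action=masquerade src-address-list=Metro_92.xxx.xxx.xxx] dst-address-list=!local-subnets

# Check: with option 1 the mark-routing counters should stop increasing
# for client-to-client traffic; with option 2 the rules should be listed.
/ip firewall mangle print stats where action=mark-routing
/ip route rule print
```

Option 1 is the cheaper one at runtime (no routing-mark is set, so no extra table lookup); option 2 is the one the original poster reports as working. Either way, a client-to-client packet now hits the connected route in table main instead of falling through to the default route of its marked table and leaving via a WAN.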

My problem is solved with the route rule. Thank you so much.